Jumping ahead a bit here. I'll come back to the rest shortly, but it's Sunday night, so just want to whizz through these. Most of the last ones are just common sense - isolation of virus'd computers, install AV etc etc.
7.0 Security Policies and Procedures, Best Practices, and Standards
7.1 Security policy elements
Definition of what it means to be secure for a system, organization or other entity. Addresses constraints on behaviour on members (staff) as well as adversaries (doors, locks, keys and walls). Implements RBAC for systems access.7.2 Information security standards (for example, ISO/IEC 27001 and ISO/IEC 27002)
27001 formally specifies a management system that is intended to bring information security under explicit management control. Mandates specific requirements.Was BS 7799, then BS 7799-2
Requirements:
Management should:
- Systematically examine origination’s security risks (threats, vulnerabilities and impacts)
- Design & implement a coherent and comprehensive suite of information security controls
- Adopt an overarching management process to ensue information security control continue to meet the organisations information security needs
Revolves around ISMS - (Information Security Management System)
Plan, Do, Check, Act.
Domains:
Asset Management - Documents assets of company or scope in question
Asset register
Asset classification
Asset Labelling
Access control - implementation of access controls across all information processing systems (operating systems, applications etc)
User Registration
Passwprd Management
Clear Work Environment
Operating System & Application Controls
Network Security
27002 - Information Security standard - code of practice for information security management
14 domains:
Security policy - management direction
Organisation of Information Security - governance
Human Resources security - security aspects for employees, joining, moving, and leaving organization
Asset Management - inventory & classification
Access control - restriction of access rights to network, systems, data
Cryptography
Physical & Environmental security - protect of computer facilities
Operation Security procedures and responsibilities
Communication Security
System acquisition
supplier relationships
information security incident management
information security aspects of BCP
compliance
7.3 Standards bodies (for example, ISO, IEC, ITU, ISOC, IETF, IAB, IANA, and ICANN)
ISO - International Organisation for StandardizationIndependent, non-governmental. 164 member countries.
Member bodies - considered the most representative standards body in each country. The only ones that have voting rights.
Correspondent members - countries that do not have own standards organization
Subscribers - countries w/ small economies. pay reduced fees.
IEC - International Electrotechnical Commission
Works closely w/ ISO - concerned w/ electronics
ITU - International Telecommunication Union - information & communication techniques
ISOC - Internet Society 0 internet related standards. Parent company of IETF
IETF - Internet Engineering Task Force - Develops and promotes voluntary Internet Standards- i.e TCP/IP suite
IAB - Internet Architecture Board - committee charged with oversight of technical and engineering development of the Internet by the ISOC.
IANA - Internet Assigned Numbers Authority. Department of ICANN
ICANN - Internet Corporation for Assigned Names and Numbers - Looks after TLDs, DNS root
7.4 Industry best practices (for example, SOX and PCI DSS)
SOX - Sarbanes-Oxley Act - Public Accounting reform and Investor Protection Act / Corporate and Auditing Accountability and Responsibility Act.Came about after Enron & Worldcom. Criminal penalties for misconduct, required the SEC to create regulations defining how public companies comply with the law. US Law - not really a “best-practice”.
PCI DSS - Payment Card Industry Data Security Standard - proorietary security standard, increases controls around cardholder data to reduce credit card fraud. Uses a Qualified Security Assessor (QSA).
Objectives:
Build and maintain a secure network (install and and maintain a firewall, do not use vendor-supplied defaults for passwords)
Protect Cardholder data (protect cardholder data, encrypt transmission of cardholder data)
Maintain a vulnerability management program (use AV software, develop and maintain secure systems)
Implement strong access controls (restrict access to cardholder data by business need-to-know, assign a unique ID to each person w/ computer access (no shared accounts), restrict physical access to cardholder data)
Regularly monitor and test networks (track and monitor all access, regularly test security systems and processes)
Maintain an information security policy (maintain a policy that addresses information security)
HIPAA - Health Insurance Portability and Accountability Act - protects health insurance coverage for workers when lose or change jobs, national standards for electronic health cate transactions
GLBA - Gramm-Leach-Bliley Act - financial Services Modernisation Act (1999) - removed prohibition of any one institution acting as investment bank, commercial bank and insurance company. Citicorp (holding company) merged w/ Travellers group - to form Citigroup - had to get waiver from Federal reserve until Glibba came in.
7.5 Common RFC and BCP (for example, RFC2827/BCP38, RFC3704/BCP84, and RFC5735)
RFC2827 - network ingress filtering - defeating DoS attacks that use IP source address spoofingBCP38
RFC3704 - ingress filtering for multimode networks
BCP84
RFC5735 - Special Use IP addresses
7.6 Security audit and validation
7.7 Risk assessment
Establish the contextIdentify the risks
Analyze the risks
Evaluate & prioritize the risks
Tackle the risks